From: Stanislav Malyshev <stas@php.net>
Date: Tue, 27 May 2014 00:50:14 +0000 (-0700)
Subject: Fix bug #67328 (fileinfo: numerous file_printf calls resulting in performance degrada... 
X-Git-Tag: php-5.4.30RC1~43
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=4005f06df6a0f81f38f02a7afaf0760279a3cd6f;p=php

Fix bug #67328 (fileinfo: numerous file_printf calls resulting in performance degradation)

Upstream patch: https://github.com/file/file/commit/b8acc83781d5a24cc5101e525d15efe0482c280d
---

diff --git a/NEWS b/NEWS
index 7918b17c15..3643227385 100644
--- a/NEWS
+++ b/NEWS
@@ -32,7 +32,8 @@ PHP                                                                        NEWS
 
 - Fileinfo:
   . Fixed bug #67327 (fileinfo: CDF infinite loop in nelements DoS). 
-    (CVE-2014-0238).
+  . Fixed bug #67328 (fileinfo: fileinfo: numerous file_printf calls resulting in
+    performance degradation).
 
 - FPM:
   . Fixed bug #66908 (php-fpm reload leaks epoll_create() file descriptor). 
diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c
index 99b6889ef5..4712e84942 100644
--- a/ext/fileinfo/libmagic/cdf.c
+++ b/ext/fileinfo/libmagic/cdf.c
@@ -948,7 +948,7 @@ int
 cdf_unpack_summary_info(const cdf_stream_t *sst, const cdf_header_t *h,
     cdf_summary_info_header_t *ssi, cdf_property_info_t **info, size_t *count)
 {
-	size_t i, maxcount;
+	size_t maxcount;
 	const cdf_summary_info_header_t *si =
 	    CAST(const cdf_summary_info_header_t *, sst->sst_tab);
 	const cdf_section_declaration_t *sd =
@@ -963,21 +963,13 @@ cdf_unpack_summary_info(const cdf_stream_t *sst, const cdf_header_t *h,
 	ssi->si_os = CDF_TOLE2(si->si_os);
 	ssi->si_class = si->si_class;
 	cdf_swap_class(&ssi->si_class);
-	ssi->si_count = CDF_TOLE2(si->si_count);
+	ssi->si_count = CDF_TOLE4(si->si_count);
 	*count = 0;
 	maxcount = 0;
 	*info = NULL;
-	for (i = 0; i < CDF_TOLE4(si->si_count); i++) {
-		if (i >= CDF_LOOP_LIMIT) {
-			DPRINTF(("Unpack summary info loop limit"));
-			errno = EFTYPE;
-			return -1;
-		}
-		if (cdf_read_property_info(sst, h, CDF_TOLE4(sd->sd_offset),
-		    info, count, &maxcount) == -1) {
+	if (cdf_read_property_info(sst, h, CDF_TOLE4(sd->sd_offset), info,
+		count, &maxcount) == -1) 
 			return -1;
-		}
-	}
 	return 0;
 }